Windows Authentication from a different domain

Question
-
I have a Website running in our domain which has Windows Authentication enabled. I want this website open to public via Azure and still authenticate users based on their Windows credentials.
I am considering 2 options.
1. Host the Website on Azure and follow AD FS techniques to achieve Windows Authentication
2. Do not host the Website on Azure, but map (or domain alias) to a server (which has the Website) in our domain which is open to public.
I need your advice on this, guys. Which is better? Can I achieve Windows Authentication if I go with option 2? How would option 1 be implemented?
Thanks much in advance
Tuesday, March 13, 2012 8:48 AM
Answers
-
Hi prudhvi,
I would go for a third option. Have the application run in Azure and use the Windows Azure AppFabric Access Control Service (ACS) to externalize the authentication part. That way, your application doesn't need to know where the authenticated users come from (Windows Live, GMail, ADFS, ...).
There are plenty of resources and examples on how you can integrate ACS with ADFS (and other identity providers) with your Azure application:
- http://acs.codeplex.com/wikipage?title=ACS%20Content%20Map
- http://claimsid.codeplex.com/releases/view/67606
If you go for option 2, you'll just go back to the 'prehistoric' setup where you have the server in your domain, because this means you'll need to provide for the licenses, the hardware, the high availability, maintenance, ...
Sandrino
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
- Proposed as answer by Sandrino Di Mattia Wednesday, March 14, 2012 9:44 AM
- Marked as answer by Arwind - MSFT Wednesday, March 21, 2012 10:40 AM
Tuesday, March 13, 2012 12:50 PM
All replies
-
Hello.
Check these links:
http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx
Tuesday, March 13, 2012 9:48 AM -
That helps Alexander. Thanks.
And what about option 2 - Not hosting the website on Azure but map to a server hosting the website on domain. Will this still qualify for enabling Windows Authentication?
Tuesday, March 13, 2012 10:35 AM -
Yes, it will be OK. But I agree with Sandrino about option 3; I think you should think about it.
Tuesday, March 13, 2012 3:11 PM
-
Thanks Sandrino, that helps.
I will go ahead with the third option and will post again how the implementation went. Hopefully with a detailed step-by-step guide that can help the community.
Thanks much people.
Wednesday, March 14, 2012 4:52 AM -
Sandrino,
I agree with your comments on option 2. If all the catches - licenses, hardware and maintenance are achieved and taken care of, will it qualify for enabling Windows Authentication?
Thanks
Wednesday, March 14, 2012 5:00 AM -
Yes, if the server has a connection with your domain (i.e. if the server is in the domain, if the server can access the domain controller through VPN, ...)
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
Wednesday, March 14, 2012 6:41 AM